But seriously, this is not so tragic. That's because the government watches terrorist internet activity closely, so that any bad guy trying to pull this SQL trick is going to be intercepted by highly competent cyber-cops and will never receive the data he requested from the server. In other words, you can be assured that only the good guys are able to view your personal data and you've nothing to hide from the good guys after all.

But seriously, this is not so tragic. That's because the government watches terrorist internet activity closely, so that any bad guy trying to pull this SQL trick is going to be intercepted by highly competent cyber-cops and will never receive the data he requested from the server. In other words, you can be assured that only the good guys are able to view your personal data and you've nothing to hide from the good guys after all.

I just want to congratulate everyone involved with this story on bringing about a fix for the problem. If only there were more well-behaved developers pointing out (rather than exploiting) security holes, and companies being receptive to said notifications (instead of being defensive and accusatory).

But seriously, this is not so tragic. That's because the government watches terrorist internet activity closely, so that any bad guy trying to pull this SQL trick is going to be intercepted by highly competent cyber-cops and will never receive the data he requested from the server. In other words, you can be assured that only the good guys are able to view your personal data and you've nothing to hide from the good guys after all.

Challenge: make a comment that is so obviously sarcastic it is impossible that someone in the world is the dumb enough to actually think that way.
Hint: this is impossible.

When a corporation does this, they take a huge hit in the form of lawsuits, stock drops, and lost business. When the government does it, it's a big brouhaha news story, maybe one person gets fired, and then it's back to business as usual.

Euhm, Alex, the blurring of the email addresses in that last picture doesn't really work, I can figure almost all of them out. Might want to use a black pen next time instead of blurring. The Social Security numbers are blurred a bit better, but still it would be better still to use a black pen in whatever photo editing program you are using,

I just want to congratulate everyone involved with this story on bringing about a fix for the problem. If only there were more well-behaved developers pointing out (rather than exploiting) security holes, and companies being receptive to said notifications (instead of being defensive and accusatory).

Again, well done.

Receptive? They failed, the first time, they took the site down only to have it come up with a failure, a band aid solution. Second time, they resorted to just taking the whole thing down. Agreed on the accusatory nature of organisations though.

And don't think about congratulating the IT department. This is a disaster. I seriously hope those directly responsible for this are not only fired, sued and maybe even locked up or a shit load of community service. This is an utter failure in their duty of care, why the fuck would you take on a role on a project involving sensitive data if you have any idea how incompetent you are? Sad thing is they probably don't know that, and neither does management.

I started the story and thought "seriously now, people working for the government don't know about validating input fields for SQL injection?"... but then I get passing the query in the URL and comments describing the schema in public-readable comments. That is a pretty epic level of WTF.

I'm glad you are honest and moral. Also I would have gone straight to the news to ensure that they get their asses whooped for doing something so amazingly stupid and so nasty for regular folks completely unsuspecting.